Authentication techniques are used to ensure that actions, for example accessing a computer or other resource, are performed only by an authorized human or other user. One way that websites and other electronic services authenticate their users is by requiring those users to supply a username and a valid password before being granted access. Typically the password is selected by the user the first time the user visits the site (e.g., as part of a registration process), and may be changed by the user as desired. Unfortunately, users sometimes forget their passwords—especially if the password is complex or used infrequently. Passwords can also be difficult to type, for example if the user is using a client with limited input capabilities. Passwords are also subject to compromise by nefarious individuals, such as through guessing, insecure storage by the website/service, and attacks against the user, such as through keystroke logging. Therefore, even when a service provider observes a valid password being entered, there is a risk that the password has been stolen and is being entered by an attacker. Further, in some circumstances devices are linked with user accounts, and allow access to the account to anyone with access to the device, increasing the risk of unauthorized use of devices, whether by a person or a virus.